Sunday, July 22, 2007

Super Wall

When you setup your Facebook account, you are given you a virtual "wall" where friends can post public comments to your profile. This is kind of cool, but there are some limitations. You cannot post an image or a video to a friend's wall. Well, the inventors of Super Wall have come to the rescue. This application allows simple text messages, picture messages, and even links to web videos served up by Google and by Youtube.

My original testing with Super Wall included trying to link to an off-site image, in an attempt to track profile views. Facebook counters this by caching every image used in third party applications. Therefore, all requests to images are effectively handled locally by Facebook. This helps reduce the server load on any third party websites.

Since my first attempt was shot down, I decided to look into other aspects of Super Wall. For my second test, I posted a simple text message to my own Super Wall. Awesome, everything is working. Finally, I took a look at what was going on behind the scenes.

The fb_sig_user field is the Facebook user id of the person posting the comment, and owner_id is the Facebook user id of the Super Wall’s owner. In this case both of these fields will be equal to your Facebook user id.

Super Wall ensures that you are on the person's friend list before you can post to his or her Super Wall. However, if you change the value of fb_sig_user to a friend’s id, the result will be a wall post from your friend. You have now spoofed a comment from one of your friends onto your own wall. Wow, this could get ugly.

After further tweaking, I was also able to post on a friend's Super Wall as someone else, simply by altering both the owner_id and fb_sig_profile fields accordingly. The person you are posting as does have to be a friend of the owner's wall in order for this to work.

Phishers could easily abuse Super Wall by spoofing messages to people by assuming a friend’s identity. The phisher could then post malicious links, and the person would likely not even think twice about going to the given address.